Author Topic: Malware?  (Read 1622 times)

Offline Stoney

  • Gold Member
  • Posts: 3482
Malware?
« on: February 09, 2011, 02:20:07 AM »
Ok, I've got this entry:  HKLM:Run   Amiwuguxavigame   rundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup in my startup list.  I've tried CCleaner, MalwareBytes, MGAM, everything I can find that's supposed to be worthwhile to try and disable and remove this .dll and nothing works.  I delete it, and it shows up again.  Any idea what this is?  Google search turns up nothing.  I'm running Firefox for a web browser, Windows XP with SP3, with the most recent updates...
"Can we be incorrect at times, absolutely, but I do believe 15 years of experience does deserve a little more credence and respect than you have given from your very first post."

HiTech

Offline Charge

  • Gold Member
  • Posts: 3414
Re: Malware?
« Reply #1 on: February 09, 2011, 03:12:20 AM »
At least in Vista there is a way to track down programs which use that DLL, and if the parent program monitors its presence in your system it is tracked too. My bet goes to some nasty bugger in your temp directory.

Have you tried rootkit detectors?

-C+
"When you wish upon a falling star, your dreams can come true. Unless it's really a giant meteor hurtling to the earth which will destroy all life. Then you're pretty much screwed no matter what you wish for. Unless of course, it's death by meteorite."

Offline Ghosth

  • AH Training Corps (retired)
  • Plutonium Member
  • Posts: 8497
      • http://332nd.org
Re: Malware?
« Reply #2 on: February 09, 2011, 07:14:58 AM »
You might try booting to a Linux distro from CD and then scanning. Since it will no longer be protected under that OS, it will probably remove it.

I've done that a time or 2 when I had nasty ones that wouldn't be fixed any other way.
Most good Linux distros have a boot-from-CD option that has a built-in virus scanner.

Or if you're set up to dual boot, you can use that to get around it.

FYI, I seldom install Windows OS to C:/windows anymore, just because almost all bugs are written to look for it there. I may put a dummy or unused XP install there, but my main install will be on D:/. It's amazing sometimes how minor tricks like that can make a huge difference.


Offline NormH3

  • Nickel Member
  • Posts: 379
      • We do good things!
Re: Malware?
« Reply #3 on: February 09, 2011, 07:59:35 AM »
After removing the thing, you might try running a system restore to back before the thing showed up. It sounds like it has embedded itself in the registry to respawn itself. This is assuming it is a bad guy and not part of some legit program you have installed.

Offline Stoney

  • Gold Member
  • Posts: 3482
Re: Malware?
« Reply #4 on: February 09, 2011, 09:35:02 AM »
> Have you tried rootkit detectors?
>
> -C+


MGAM is a rootkit detector, and it doesn't pick it up.  The thing that concerns me is that I can't find the file name on Google searches--most of the time if I see something suspicious, I do a Google search, and one of the anti-malware websites has a listing of all the known files out there.  I can't find anything about this one.  First serious issue I've had since I started using Firefox...

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • Posts: 11633
Re: Malware?
« Reply #5 on: February 09, 2011, 09:56:30 AM »
> MGAM is a rootkit detector, and it doesn't pick it up.  The thing that concerns me is that I can't find the file name on Google searches--most of the time if I see something suspicious, I do a Google search, and one of the anti-malware websites has a listing of all the known files out there.  I can't find anything about this one.  First serious issue I've had since I started using Firefox...

Any more advanced virus will generate files with random names just for this purpose. You might have 5-10 more hidden in random locations.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone
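A triage check for the kind of entry Stoney posted in the opening message, and for MrRiplEy's point in Reply #5 that such droppers use randomly generated names: this is an added Python example, not code from the thread or from any tool named in it. The sample listing is constructed (only its first line is the entry from the post), and the consonant/vowel alternation heuristic is my own assumption for spotting pronounceable gibberish, not a published rule.

```python
import re

# Constructed sample in the "key  name  command" shape a startup-list tool prints.
# Only the first line is the entry from the thread; the rest are made-up benign
# entries included for contrast.
SAMPLE_STARTUP_LIST = r"""
HKLM:Run   Amiwuguxavigame   rundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup
HKLM:Run   NvCplDaemon   RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKCU:Run   ctfmon.exe   C:\WINDOWS\system32\ctfmon.exe
"""
VOWELS = set("aeiouy")

def looks_generated(name, min_len=10):
    """Heuristic (assumption): long names that strictly alternate consonant and
    vowel read like pronounceable gibberish, as both names in the thread do.
    Real product names can match too, so treat a hit as a hint, not a verdict."""
    letters = re.sub(r"[^a-z]", "", name.lower().split(".")[0])
    if len(letters) < min_len:
        return False
    is_vowel = [c in VOWELS for c in letters]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))

def rundll32_target(command):
    """Return the DLL a rundll32 command loads, or None for any other command."""
    m = re.match(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,', command, re.I)
    return m.group(1) if m else None

def in_windows_root(path):
    """True when the DLL sits directly in the Windows folder (OS DLLs live in system32)."""
    return re.match(r"^[a-z]:\\windows\\[^\\]+\.dll$", path, re.I) is not None

def parse_startup_list(text):
    """Yield (key, name, command) from a listing whose columns are 2+ spaces apart."""
    for line in text.strip().splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            yield tuple(parts)

def triage(text):
    """Map each suspicious Run entry ("key name") to the reasons it was flagged."""
    findings = {}
    for key, name, command in parse_startup_list(text):
        reasons = []
        dll = rundll32_target(command)
        if dll and in_windows_root(dll):
            reasons.append("rundll32 loads a DLL from the Windows root")
        if looks_generated(name) or (dll and looks_generated(dll.rsplit("\\", 1)[-1])):
            reasons.append("generated-looking name")
        if reasons:
            findings[f"{key} {name}"] = reasons
    return findings

print(triage(SAMPLE_STARTUP_LIST))
```

Only the thread's entry is flagged, for both reasons; the NVIDIA and ctfmon lines pass because their DLLs sit under system32 and their names do not alternate.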

Offline gpwurzel

  • Gold Member
  • Posts: 3836
Re: Malware?
« Reply #6 on: February 09, 2011, 11:12:26 AM »
Stoney, some links for Linux distro standalone virus/malware killers:
http://trinityhome.org/Home/index.php?wpid=113&front_id=12 Trinity Rescue Kit
http://www.avira.com/en/support-download-avira-antivir-rescue-system Avira (in case you can't get the virus killer updates for TRK)


Won't bother with Spybot S&D or Malwarebytes, as they are easy enough to find.

Hth,

Wurzel
I'm the worst pilot ingame ya know!!!

It's all unrealistic crap requested by people who want pie in the sky actions performed without an understanding of how things work and who can't grasp reality.


Offline Denholm

  • Plutonium Member
  • Posts: 9667
      • No. 603 Squadron
Re: Malware?
« Reply #7 on: February 09, 2011, 11:13:38 AM »
> After removing the thing, you might try running a system restore to back before the thing showed up. It sounds like it has embedded itself in the registry to respawn itself. This is assuming it is a bad guy and not part of some legit program you have installed.
A lot of bugs (especially sophisticated bugs) will embed themselves in the restore point before proceeding to destroy your computer. Perhaps the worst thing you can do is attempt a restore.

I know it's another half-empty solution. Yet give AVG Anti-Rootkit Free a shot. I've used it in the past and had some decent results. No, it does not install AVG to your system.

http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml
Get your Daily Dose of Flame!
FlameThink.com
No. 603 Squadron... Visit us on the web, if you dare.

Drug addicts are always disappointed after eating Pot Pies.

Offline gpwurzel

  • Gold Member
  • Posts: 3836
Re: Malware?
« Reply #8 on: February 09, 2011, 11:19:05 AM »
And a link to an online scanner (if you trust such things)

http://www.f-secure.com/en_US/downloads/ (left hand side, middle link)

Wurzel


Offline Stoney

  • Gold Member
  • Posts: 3482
Re: Malware?
« Reply #9 on: February 09, 2011, 12:55:06 PM »
Just an update as I continue to work on this...

Found this file in my Temp directory:  perflib_perfdata_614.dat  Can't delete this file at all with any of my utilities, and from a Google search, it looks like it's a known rootkit, or maybe a Windows file?

For Ghost and GPwurzel, I don't have any experience with Linux.  Are those applications self-contained or do I need to install Linux first, then run them?

(GPwurzel) Just saw you're in the Stumps--USMC?

« Last Edit: February 09, 2011, 01:03:10 PM by Stoney »

Offline Bizman

  • Plutonium Member
  • Posts: 9687
Re: Malware?
« Reply #10 on: February 09, 2011, 01:02:47 PM »
F-Secure also has a downloadable Linux based bootable Rescue-CD. I suppose it should do even better with rootkits than Avira's one. Depends mostly on hardware which one to choose. After that I'd run Anti Malware in Safe Mode with Networking. And after that I'd run some online scans, still in Safe Mode. Eset has a good one working also on Java instead of ActiveX (So does F-Secure's one, too), BitDefender may find what others ignore. There's a bunch of others, too, like TrendMicro Housecall. Last, in normal Windows, I'd run Microsoft's Live One Care.
« Last Edit: February 09, 2011, 01:08:27 PM by Bizman »

Offline Bizman

  • Plutonium Member
  • Posts: 9687
Re: Malware?
« Reply #11 on: February 09, 2011, 01:03:27 PM »
Can't modify... Quoting myself looked kinda stupid adding only one word  :bolt:
« Last Edit: February 09, 2011, 01:07:45 PM by Bizman »

Offline NormH3

  • Nickel Member
  • Posts: 379
      • We do good things!
Re: Malware?
« Reply #12 on: February 09, 2011, 01:08:08 PM »
> Just an update as I continue to work on this...
>
> Found this file in my Temp directory:  perflib_perfdata_614.dat  Can't delete this file at all with any of my utilities, and from a Google search, it looks like it's a known rootkit, or maybe a Windows file?
>
> For Ghost and GPwurzel, I don't have any experience with Linux.  Are those applications self-contained or do I need to install Linux first, then run them?
>
> (GPwurzel) Just saw you're in the Stumps--USMC?


It's an OS-created file.
http://techsalsa.com/information-on-perflib_perfdatadat-files-stored-in-local-temp-folder/

Offline Stoney

  • Gold Member
  • Posts: 3482
Re: Malware?
« Reply #13 on: February 09, 2011, 01:11:37 PM »

Offline Denholm

  • Plutonium Member
  • Posts: 9667
      • No. 603 Squadron
Re: Malware?
« Reply #14 on: February 09, 2011, 01:59:27 PM »
Stoney, regarding your question about Linux, you have two options.

1. You can generate a LiveCD. Basically, this is an OS installer in which you download a bootable ISO from a website such as www.linuxmint.com and burn it to a CD. Afterward, you boot from the disc and it automatically loads Linux without installing anything. The benefit is that you have a GUI interface (similar to Mac) where you can open your Windows partition and remove any file you wish. In short, a temporary operating system which goes away after a restart.

2. After burning a LiveCD, you can re-partition your hard drive and install Linux.

Choice 1 is far better as it's less labor-intensive and reaps the same results.